Content protected by an access control system CAS (for Conditional Access System) can be provided to a user according to different types of services, such as live broadcasting (TV Live), distribution on request (VoD, for Video on Demand) or replaying recorded content (PVR, for Personal Video Recorder, or NPVR, for Network Personal Video Recorder).
In all cases, the content provided to the user is initially scrambled by control words CWi and the operator controls the access to content by conditioning the obtaining of the control words to the holding by the user of a “commercial’ authorisation. To that effect, the operator attaches an access condition to the content which must be satisfied by the subscriber or by his equipment in order to be able to descramble this content.
Transmitting control words and the description of the access condition are carried out by specific access control messages, called ECM messages (Entitlement Control Message). Control words CWi are encrypted by a service key before being transmitted in the ECM messages. As is appreciated by those skilled in the art, the access condition includes one or more criteria programme cost, moral level threshold, etc.) which must be satisfied by the access rights (subscription, ticket, etc.) stored in the security processor or through agreements given by the user (agreement for Pay Per View, moral agreement, etc.). Transmitting the service key and access right is carried out by specific access control messages, called EMM messages (Entitlement Management Message).
At the level of the equipment of the user, the ECM messages are processed by the security processor in order to, in particular, check its security parameters and compare the access condition to the access rights that were recorded beforehand in a non-volatile memory of the security processor. If the access condition is satisfied by the access rights, the security processor restores, via decryption, each control word that it provides to the reception terminal, thus allowing for descrambling.
The security processor thus exchanges data with the reception terminal: in particular, it receives and processes EMM and ECM messages, and provides the control words allowing the content to be descrambled. In a well-known example, the security processor is a chip card and these exchanges of data between reception terminal and security processor are carried out via an interface that is compliant with the ISO 7816 standard.
This architectural principle, in which the invention is placed, also applies when the security processor is built into the reception terminal, or when it interfaces with, or is built into, an access control and descrambling module that is external to the reception terminal, such as a module that is compliant with the EN 50221 standard (“Common Interface Specification for Conditional Access”).
User equipment implementing access control according to this architecture principle can be subject to fraudulent use. One particular fraudulent use consists of exploiting the conditional access resources of the user equipment beyond its “normal” use by the user, either by unauthorised sharing of the use of the security processor (or “card sharing”), or by fraudulently redistributing the control words provided by the security processor (or “CW sharing”).
The shared use of the security processor of a user equipment, consists in soliciting the latter by several reception terminals via a bidirectional communications network. This use results in particular in the submission to the security processor of messages that are syntactically correct but in a number or diversity that is excessive in relation to what they usually are based on “normal” use of the system.
Redistributing control words consists in having several reception terminals benefit from the control words CWi obtained by one of them, via a communications network. This form of piracy is applicable especially when the control words CWi transit in clear between the security processor and the reception terminal. Tapping the interface of the security processor and of the reception terminal thus allows the control words to be intercepted and fraudulently redistributed to other reception terminals (“MacCormac Hack”), redistribution which can be carried out using a server which broadcasts the control words CWi or providing them as a response to the submission of ECM messages associated with the contents under consideration.
FIG. 1 schematically shows such a situation of fraudulent redistribution of control words.
In reference to FIG. 1, equipment 2 of a user includes a reception terminal 4 associated with a security processor 6 such as a chip card. Reception terminal 4 receives ECM from the headend and transmits (arrow 5) these ECM to security processor 6. Security processor 6 processes the ECM received in order to check the access conditions and decrypts the control words contained in these ECM, then transmits (arrow 8) the decrypted control words to reception terminal 4. These control words are likely to be intercepted fraudulently on the security processor/reception terminal interface then distributed fraudulently (arrows 12) by a pirate server 10 to reception terminals 14.
Solutions are known to fight against fraudulent uses of the “card sharing” or “OW sharing” type. For example, matching may be activated between security processor and reception terminal as described in French patents FR 2 866 772 and FR 2 866 773; control words may be sent in encrypted format by the security processor to the reception terminal as disclosed in patent application FR 2 882 208; the security processor can provide the reception terminal with, not the control words, but data allowing the terminal to reconstitute them as disclosed in patent application FR 2 876 858. However, these various solutions require, in addition to adapting the security processor, an adaptation of the reception terminals. If it is relatively easy to change a chip card, it is more restricting and more costly to change an existing stock of reception terminals in order to support these new features.
The purpose of the invention is to allow for the “tracking” of user equipment, typically their security processors, that are contributing to a system of sharing cards or redistributing control words, and therefore to allow the operator involved to identify, via means outside the system, the customer who holds such a user equipment that contributes to this piracy. Implementing this invention involves only adapting the security processor, without having to modify the existing reception terminals.
The proposed solution applies mainly in the case where the control words transit in a non-encrypted format over the interface between security processor and reception terminal. It can also be implemented when this interface is protected by encryption but remain latent in order to be reactivated in the case where this interface protection would be compromised.